Greetings,

On 8/12/07, Kent Johnson <[EMAIL PROTECTED]> wrote:
> bhaaluu wrote:
> >
> >>>> print chr(eval('65'))
> > A
>
> There is no need to use eval() here. Since the expected values are
> integers, just use int():
> In [6]: chr(int('65'))
> Out[6]: 'A'
>
> This gives a clearer error message when the input is not as expected:
> In [7]: chr(int('How'))
> ------------------------------------------------------------
> Traceback (most recent call last):
>   File "<ipython console>", line 1, in <module>
> <type 'exceptions.ValueError'>: invalid literal for int() with base 10:
> 'How'
>
> In general it's a good idea to avoid using eval() especially with user
> input, it is a gaping security hole.
>
> Kent

The original poster posted a post with the following function:

def dec():
    import string
    message=raw_input("Enter the message to decode: ")
    result=''
    for x in string.split(message):
        result=result+chr(eval(x))
    return result

print dec()

which is from the book:
"Python programming: An introduction to CS" by John M. Zelle.

As a Python Noob, I'm obviously ignorant of most of the Python
language, but I wonder why the author of a book would include
a function that is a "gaping security hole," when the int() function
would do the job just as nicely, and without the security concerns?

Of course, I don't know what context the snippet is in because I
don't have a copy of the book in question. But as a Python Noob,
I really do appreciate your heads-up about eval(), and I have it
red-flagged as a 'gaping security' concern, and will use it with
extreme caution in the future. =)

Now for MY question: Besides eval(), are there other functions that
should be 'red-flagged' as well? I just haven't been around Python
long enough yet to become familiar with all of the Standard Library.
Correct me if I'm wrong, but with 29 keywords, and over 176 library
functions, Python weighs in at over 200 Standard "objects"?

Cheers! =)
--
bhaaluu at gmail dot com
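
The difference between eval() and int() discussed in this message, as an added example that is not part of the original thread or of the book. It is written for Python 3; dec_unsafe, dec_safe and compare are hypothetical names and the sample inputs are constructed.

```python
# Added example (Python 3), not from the thread or the book.
# dec_unsafe/dec_safe/compare are hypothetical names; all inputs are constructed.

MAX_CODE_POINT = 0x10FFFF  # largest value chr() accepts


def dec_unsafe(message):
    """Same logic as the posted dec(): each token is run as a Python expression."""
    return "".join(chr(eval(tok)) for tok in message.split())


def dec_safe(message):
    """Decode whitespace-separated decimal code points; nothing is evaluated."""
    chars = []
    for pos, tok in enumerate(message.split(), start=1):
        # Accept plain ASCII digits only. int() alone would also take
        # "+65", "6_5" and non-ASCII digits, which this format never needs.
        if not (tok.isascii() and tok.isdigit()):
            raise ValueError("token %d is not a decimal number: %r" % (pos, tok))
        code = int(tok)
        if code > MAX_CODE_POINT:
            raise ValueError("token %d is out of range for chr(): %r" % (pos, tok))
        chars.append(chr(code))
    return "".join(chars)


def compare(message):
    """Return (unsafe_result, safe_result); a rejected input shows as the error text."""
    results = []
    for decoder in (dec_unsafe, dec_safe):
        try:
            results.append(decoder(message))
        except Exception as exc:  # eval() can raise anything, not only ValueError
            results.append("rejected: %s" % exc)
    return tuple(results)


if __name__ == "__main__":
    # "60+5" is not a number, yet the eval() version computes it and returns 'A'.
    for sample in ("72 101 108 108 111", "60+5", "How"):
        print(repr(sample), "->", compare(sample))
```

The token "60+5" is the one to watch: the eval() version treats the input as code and decodes it to 'A', while the int() version refuses anything that is not a plain decimal number.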